CVE-2011-4828
published 2011-12-15

Priority: P273 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 65.48% (99.2th percentile)
Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
autosectools | v-cms | |

Detection & IOCs (extracted from sources)

path: includes/inline_image_upload.php
path: temp/
url: ${base}temp/${payload_name}
  • Detect unauthenticated POST requests to includes/inline_image_upload.php containing multipart/form-data with a PHP (or other executable) file extension in the filename field.
  • Alert on GET requests to the temp/ directory of a V-CMS installation immediately following a POST to inline_image_upload.php, as this is the two-stage upload-then-execute pattern used by the exploit.
  • Fingerprint V-CMS 1.0 installations by matching the response body pattern /V\-CMS v1\.[0-1]/ in HTTP responses, as used by the Metasploit check method.
  • Flag multipart POST requests to inline_image_upload.php using the static boundary value '----x', which is hardcoded in the public Metasploit exploit.
  • V-CMS 1.1 added extension whitelisting (jpg, jpeg, png, gif, bmp), but the Metasploit module notes that uploading a PHP payload disguised with one of those extensions may still be exploitable depending on server configuration (e.g., Apache mod_mime double-extension handling).
  • The default TARGETURI for the Metasploit module is '/vcms/', so detection rules scoped only to the root path may miss deployments at this sub-path.
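
The upload-then-fetch correlation from the list above, as an added example that is not part of the original entry: it scans web access logs for a POST to includes/inline_image_upload.php followed by a GET under temp/ from the same client, at any base path. The Common Log Format input, the function name, the five-minute window, the extension list and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Common Log Format prefix: client, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
UPLOAD = re.compile(r'^(.*/)includes/inline_image_upload\.php(?:\?.*)?$', re.I)
# A script extension anywhere in the name also catches pic.php.jpg (mod_mime case).
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(\.|$)', re.I)

def find_upload_then_fetch(lines, window=timedelta(minutes=5)):
    """Return alerts for a POST to the upload script followed by a GET to
    temp/ under the same base path from the same client within `window`."""
    uploads = {}   # (client, base path) -> time of the last upload POST
    alerts = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        up = UPLOAD.match(path)
        if method == "POST" and up:
            uploads[(client, up.group(1))] = when   # base path, e.g. /vcms/
            continue
        if method != "GET":
            continue
        for (c, base), t in uploads.items():
            prefix = base + "temp/"
            if c == client and path.startswith(prefix) and timedelta(0) <= when - t <= window:
                name = path[len(prefix):].split("?")[0]
                alerts.append({
                    "client": client, "base": base, "file": name, "status": int(status),
                    "severity": "high" if EXEC_EXT.search(name) else "medium",
                })
    return alerts

# Constructed sample log lines (not taken from a real incident).
SAMPLE = [
    '203.0.113.7 - - [15/Dec/2011:10:00:01 +0000] "POST /vcms/includes/inline_image_upload.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [15/Dec/2011:10:00:03 +0000] "GET /vcms/temp/a1b2.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [15/Dec/2011:10:01:00 +0000] "GET /vcms/temp/photo.jpg HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Dec/2011:11:00:00 +0000] "POST /includes/inline_image_upload.php HTTP/1.1" 200 12',
    '192.0.2.44 - - [15/Dec/2011:11:00:20 +0000] "GET /temp/pic.php.jpg HTTP/1.1" 200 0',
    '192.0.2.44 - - [15/Dec/2011:12:30:00 +0000] "GET /temp/pic.php.jpg HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for alert in find_upload_then_fetch(SAMPLE):
        print(alert)
```

Access logs do not record the multipart filename or boundary, so the first and fourth detections in the list need request-body visibility (WAF or proxy logging) rather than this log-only correlation.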